Topic last updated—January 2008

Microsoft Forefront Client Security provides unified virus and spyware protection for business desktops, laptops, and server operating systems. You can use desired configuration management to monitor the Client Security agent on clients managed by Microsoft System Center Configuration Manager 2007 R2 sites.

The information in this topic applies only to Configuration Manager 2007 R2 and Configuration Manager 2007 R3.

To monitor the Client Security agent, you import the configuration pack included on the Configuration Manager 2007 R2 CD, assign the baseline to a collection that contains computers running the Client Security agent, and then monitor the compliance evaluation reports as you would for any other configuration baseline. No additional installation or configuration is needed.

Configuration Manager 2007 does not actually report back about malware or viruses detected; those alerts are monitored by Client Security as long as the Client Security agent is operating correctly.

Monitoring the Client Security Agent

This scenario demonstrates how customers can compare the configuration of their Client Security agent against best practices specified in the Microsoft System Center Configuration Manager 2007 Forefront Client Security Configuration Pack and can detect a potentially detrimental configuration before it negatively affects service level agreements (SLAs).

A. Datum Corporation has deployed Client Security as its antivirus and antispyware solution. Although the Client Security agent is quite reliable, Ellen Adams, a security administrator, wants to know if any clients are not actively using Client Security. Ellen has the goal of obtaining 99.5% compliance with Client Security configuration on all computers running the Client Security agent. Users who disable the Client Security agent might be subject to disciplinary action under the company security policy.

Tommy Hartono, the Configuration Manager administrator, learned that Microsoft published a configuration pack for Client Security in Configuration Manager 2007 R2 that can be applied with desired configuration management in Configuration Manager 2007. They decide to follow the course of action in the following table.

Process Reference

Tommy checks that the company's Configuration Manager 2007 site is enabled for desired configuration management and that all clients have the Microsoft .NET Framework version 2 or later.

How to Enable or Disable the Desired Configuration Management Client Agent

How to Identify Computers that Do Not Have the .NET Framework v2.0 for Desired Configuration Management

Tommy runs the Windows Installer file \FCS\FCSConfigPack.msi to extract the configuration baseline FCS_Configuration to his local hard drive. He then opens the Configuration Manager console and imports the FCS_Configuration, accepting all of the default wizard options.

How to Import Configuration Items in Desired Configuration Management

Tommy and Ellen review the configuration baseline and the configuration items created by the Import Configuration Data Wizard. They decide not to change any of the default configurations.

Configuration Baselines Home Page

Configuration Items Home Page

They assign the configuration baseline to a collection that contains clients running the Client Security agent and configure the evaluation schedule to run every two hours.

How to Assign Configuration Baselines in Desired Configuration Management

How to Set the Configuration Baseline Assignment Compliance Evaluation Schedule in Desired Configuration Management

When the compliance evaluation results are reported to the site, they view the compliance reports and confirm that there are no business requirements that explain why the clients are configured differently than Microsoft best practices configurations.

How to View Compliance Results for Desired Configuration Management

Tommy monitors the compliance of the laptops using the desired configuration management home page.

How to Use the Desired Configuration Management Home Page

Ellen checks the compliance reports every morning and investigates any non-compliance results before they put the company's computers at risk by not monitoring for viruses and malware.

Company-specific process.

Three months later, as a possible result of the desired configuration management implementation described in the preceding scenario, Ellen confirms that 99.99% of the clients in the organization are running Client Security and that they have sufficient uptime to reduce the risks posed by viruses and malware.

See Also